Cybersecurity’s Dirty Little Secret

“Who got breached today?” It seems that rarely does a news cycle go by without a revelation of some company, government entity, or web service experiencing a major breach with implications for vast numbers of people. The thinking has shifted from a mindset of “how can I prevent a breach?” to “I know it’s going to happen, how can I minimize the impact?” And what are those impacts? They range from embarrassment and brand degradation to significant financial loss, careers in shambles, and even companies going out of business.

The most severe breaches inevitably stem from powerful credentials (typically those logins used for administration) falling into the wrong hands. No one in their right mind would hand over the keys to their kingdom to a bad actor. But these bad actors are sneaky. They’ll get their hands on a relatively harmless user credential through social engineering, phishing, or brute force and use escalation techniques and lateral movements to gain super user access – and then all bets are off.

One of the foundational pillars of identity and access management (IAM) is the practice of privileged access management (PAM). IAM is concerned with ensuring that the right people, have the right access, to the right systems, in the right ways, at the right times, and that all those people with skin in the game agree that all that access is right. And PAM is simply applying those principles and practices to “superuser” accounts and administrative credentials. Examples of these credentials are the root account in Unix and Linux systems, the Admin account in Active Directory (AD), the DBA account associated with business-critical databases, and the myriad service accounts that are necessary for IT to operate.

PAM is widely viewed as perhaps the top practice that can alleviate the risk of a breach and minimize the impact if one were to occur. Key PAM principles include eliminating the sharing of privileged credentials, assigning individual accountability to their use, implementing a least-privilege access model for day-to-day administration, and implementing an audit capability on activities performed with these credentials. Unfortunately, we now have clear indicators that most organizations have not kept their PAM program on par with ever-evolving threats.

One Identity recently conducted research that revealed some alarming statistics when it comes to this most important protective practice. The study of more than 900 IT security professionals found that too many organizations are using primitive tools and practices to secure and manage privileged accounts and administrator access, in particular:

18 percent of those surveyed admit to using paper-based logs for managing privileged credentials

36 percent manage them with spreadsheets

67 percent rely on two or more tools (including paper-based and spreadsheets) to support their PAM program

Although many organizations are attempting to manage privileged accounts (even if that attempt is with inadequate tools) fewer are actually monitoring the activity performed with this “superuser” access:

57 percent admit to only monitoring some or none of their privileged accounts

21 percent admit that they do not have any ability to monitor privileged account activity

31 percent report that they cannot identify the individuals that perform activities with administrative credentials. In other words nearly one in three cannot assign the mandatory individual accountability that is so critical to protection and risk mitigation.

And if those statistics weren’t scary enough, data indicates that way too many organizations (commercial, government, and worldwide) fail to do even the basic practices that common sense demands:

88 percent admit that they face challenges when it comes to managing privileged passwords

86 percent do not change admin password after they are used – leaving the door open for the aforementioned escalation and lateral movement activities

40 percent leave the default admin password intact on systems, servers, and infrastructure, functionally eliminating the need for a bad actor to even try hard to get the access they covet.

The bottom line is simple, common-sense activities such as changing the admin password after each use and not leaving the default in place will solve many of the problems. But also an upgrade to practices and technologies to eliminate the possibility of human error or lags due to cumbersome password administration practices, will add an additional layer of assurance and individual accountability. And finally, expanding a PAM program to include all vulnerabilities – not just the ones that are easiest to secure – will yield exponential gains in security.

About the Author:Jackson Shaw is Vice President, Product Management at One Identity. He has been involved with directory, meta-directory and security initiatives for 25 years.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.